The Need for a Business Case for Security
Security has a “seat at the table,” now what? Proactively establishing a clear, concise, measured and proven business case to educate decision makers is essential to strategic alignment. It is also a means to convince executive and board-level stakeholders to take some kind of action. Even the most seasoned security leaders are being asked to prove program and service value like any other business unit, most notably during times of business transformation. Creating a solid ROI case is a current must for maximizing executive-level influence.
Contract Security Officer Force Optimization
Senior leadership frequently challenges the uniformed security officer budget, given that it is often the largest line item on any corporate security budget. By clearly defining and refining the security department goals, security can ensure the value of the security officer program by showing it is maintaining desired levels of performance and cost. Some recent examples include reviews of existing contracts, assistance with a request for proposals and defining key performance indicators. These types of activities are conducted to look for gaps (e.g., staffing levels, services), cost reduction potential and quality control improvements.
Core Program Enhancement
We’re finding many companies haven’t kept pace with change and innovation for core programs often developed many years ago. Therefore, these programs are not in line with business changes. A current emphasis is on optimizing core security programs, for example, event, executive protection, ID badging or re-badging, investigations, policy and governance, security operations centers, travel and workplace violence. Organizations must evolve and mature across all security program areas consistent with industry standards and leading practices to meet senior management’s expectations.
Keeping Up to Date with Security Program State of the Industry
Media influence is real, and your CEO is paying attention! Senior business leaders are watching risk trends more than ever before through daily doses of the Wall Street Journal, the Financial Times, the New York Times and other news media. Given the “risk of the day” mentality, security leaders want to be better prepared to have discussions around how their programs can contribute to the reduction of unwanted risk. The issues include:
• At-risk-personnel programs (e.g., events, travel and workplace violence)
• Background investigations
• Critical incident management
• Insider risk
Getting the right information is critical to educate, prioritize and align with senior leadership’s concerns.
Creating a Corporate Security Regulations and Standards Baseline
A surge of security leaders are finding that risk-based program development is less influential internally than regulatory and standards-based program development, and are acting on this. Some of this move is meant to counteract an internal loss of priority to IT/cyber security. Going through the process of learning which requirements and/or standards with security elements are needed to secure the company can alleviate compliance pressure, identify potential overlap with other functions (e.g., cyber, IT, physical, supply chain) and elevate security’s position and priority status.
Cross-Functional Global Security Operations Center
One recurring theme in this area is the desire to create a cross-functional enterprise plan by design. Operational control center cross-functional tie-ins are driven by the business (e.g., corporate culture, product or service, risk landscape, risk tolerance, legal and regulatory requirements). Gathering internal team leads for strategy sessions can inform GSOC activities by educating non-security leaders on the plan, mapping top risks to employees and services and identifying internal/external customers.
Developing a Technology Roadmap
Companies’ personnel, products, processes and assets are exposed to a number of risks on any given day. The ability to identify, monitor, and advise on advancing threats is crucial in today’s global risk environment. Security leaders are interested in transitioning from primarily reactive alarm monitoring stations to more proactive, analytical and valued operational risk mitigation services. We are seeing access control and critical alarm management programs evolving to risk intelligent operations, which require a well-crafted plan and technology roadmap. These contain:
• An enterprise plan that is aligned and scalable for architecture/infrastructure.
• Governance, ownership and accountability of the plan.
• Prioritized and scalable technology applications (current and future).
• The details of the investment needs.
These are the current top issues we are seeing with our practitioner community. The SEC has assisted with these challenges by providing leadership and subject-matter expertise to enable Security to evolve and create mature programs consistent with successful practices.
Response provided by Elizabeth Lancaster-Brisson, Director of Tier 1 Services and Projects, Security Executive Council.